Security and Privacy

Chapter 10: Computers and the Internet (Copyright © Prentice Hall 2000), 70 pages

Upload: lavey

Post on 16-Jan-2016


DESCRIPTION

Security and Privacy. Chapter 10 Computers and the Internet. Data Security. Decentralized networks leave data vulnerable to intentional destruction, alteration, theft, and espionage. The Network Criminal. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Security and Privacy

Copyright © Prentice Hall 2000

Security and Privacy

Chapter 10

Computers and the Internet

Page 2: Security and Privacy

Data Security

Decentralized networks leave data vulnerable to intentional destruction, alteration, theft, and espionage.

Page 3: Security and Privacy

The Network Criminal

The people who attack the vulnerability of data systems possess significant computer expertise and/or have access to sensitive data.

Page 4: Security and Privacy

Hackers

Most computer system intruders are not teenagers.

Instead, most hackers are competitors who steal proprietary or sensitive government information.

Page 5: Security and Privacy

Hackers’ Prey

Hackers begin by persuading unsuspecting people to give away their passwords over the phone.

Employees should be alerted to such scams.

Page 6: Security and Privacy

Employee Passwords

Employees use passwords to work on computer systems.

Employers expect these passwords to be kept secret from others.

Page 7: Security and Privacy

Employee Secrets

The next five slides offer helpful suggestions and guidelines to keep employee secrets secret.

Page 8: Security and Privacy

1. Avoid Common Names

Common names associated with you are naturally easy for you to remember, but they are easily cracked.

Pet names are an example.

Page 9: Security and Privacy

2. Mix-n-Match Characters

Make your password a mix of:

• letters and numbers
• upper and lower case
• alphabetic and non-alphabetic characters

not2hard

JUST4u

Han$on
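The three mixes on this slide, together with the "avoid common names" rule from the previous one, as a checker. This is an added example, not code from the deck; the common-name list is a constructed stand-in. It reports which rules each of the slide's own examples satisfies, since each of them illustrates only one or two of the mixes rather than all three.

```python
"""Checker for the password rules on slides 8 and 9: the three character mixes
and the 'avoid common names' rule. Added example, not from the original deck."""
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for slide 8's "common names": pet names an attacker
# would guess first. A real deployment would use a much larger list.
COMMON_NAMES = {"fluffy", "rex", "buddy", "bella", "max"}

# The three bullets from the "Mix-n-Match Characters" slide, in slide order.
MIX_RULES = (
    "letters and numbers",
    "upper and lower case",
    "alphabetic and non-alphabetic characters",
)


@dataclass(frozen=True)
class MixReport:
    letters_and_numbers: bool
    upper_and_lower: bool
    alpha_and_nonalpha: bool
    contains_common_name: bool

    @property
    def all_mixes(self) -> bool:
        """True only when the password satisfies all three slide-9 mixes."""
        return self.letters_and_numbers and self.upper_and_lower and self.alpha_and_nonalpha


def check_mix(password: str) -> MixReport:
    """Report which of the slide's rules a candidate password satisfies."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    # Digits and symbols both count as non-alphabetic characters.
    has_nonalpha = any(not c.isalpha() for c in password)
    # Rule 1: compare each alphabetic run against the common-name list,
    # so "Fluffy2019" is still caught even though digits were appended.
    runs = re.findall(r"[A-Za-z]+", password)
    common = any(run.lower() in COMMON_NAMES for run in runs)
    return MixReport(
        letters_and_numbers=has_letter and has_digit,
        upper_and_lower=has_upper and has_lower,
        alpha_and_nonalpha=has_letter and has_nonalpha,
        contains_common_name=common,
    )


def rules_satisfied(password: str) -> List[str]:
    """Names of the slide-9 mixes that the password satisfies, in slide order."""
    r = check_mix(password)
    flags = (r.letters_and_numbers, r.upper_and_lower, r.alpha_and_nonalpha)
    return [name for name, ok in zip(MIX_RULES, flags) if ok]


if __name__ == "__main__":
    # The deck's own three examples plus one constructed pet-name password.
    for candidate in ("not2hard", "JUST4u", "Han$on", "Fluffy2019"):
        report = check_mix(candidate)
        print(f"{candidate:>12}: mixes={rules_satisfied(candidate)} "
              f"all_three={report.all_mixes} common_name={report.contains_common_name}")
```

Current guidance (NIST SP 800-63B) weighs length and checks against breached-password lists above composition rules like these, so treat the checker as an illustration of the slide, not a modern policy.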

Page 10: Security and Privacy

3. Store Passwords Wisely

Keep your password in your head or in a safe, not in an obvious location.

Page 11: Security and Privacy

4. Change Password Often

Changing your password should become a habit so that you lessen the chance of it becoming known to intruders.

Page 12: Security and Privacy

5. Avoid Hacker Scams

In these scams, the hacker poses as a person to whom you can confide your password.

Regardless of the ruse, the wise user will not give their password to anyone.

Page 13: Security and Privacy

Computer Crime

Computer crime includes:

• Credit card fraud
• Data communications fraud
• Unauthorized access
• Unlawful copying

Page 14: Security and Privacy

Credit Card Fraud

Credit card customer numbers pass between public and private networks.

Sometimes these numbers are captured by computer criminals and used to commit fraud.

Page 15: Security and Privacy

Data Communications Fraud

This form of fraud involves the interception of network passwords or packets of data passing through networks.

Page 16: Security and Privacy

Unauthorized Access

Hackers try to gain access to confidential employee records, company trade secrets and product pricing structures, and much more.

Page 17: Security and Privacy

Unlawful Copying

This category of computer crime results in major losses for computer vendors.

Page 18: Security and Privacy

Compromising Security

Without realizing it, employers and employees can compromise the security of their computer system.

The following slides present some examples of how a system could be compromised.

Page 19: Security and Privacy

Some Bad Guy Tricks

• Bomb
• Data diddling
• Piggybacking
• Salami Technique
• Scavenging
• Trapdoor
• Trojan Horse
• Zapping

Page 20: Security and Privacy

Bomb

• A “bomb” causes a program to trigger damage under certain conditions in the future

Page 21: Security and Privacy

Data Diddling

• Data diddling refers to changing data before or as it enters the system

Page 22: Security and Privacy

Piggybacking

• An illicit user “rides” into the system on the back of another user

Page 23: Security and Privacy

Salami Technique

• Small “slices” of money are squirreled away to a secret account

Page 24: Security and Privacy

Scavenging

• Passwords and other account information may be found in trash cans or recycling bins

Page 25: Security and Privacy

Trapdoor

• The original programmer may leave an unauthorized point of entry to a program

Page 26: Security and Privacy

Trojan Horse

• Illegal instructions are hidden in the middle of the program

• These Trojan Horse instructions cause something destructive in addition to the intended function of the program

Page 27: Security and Privacy

Zapping

• Zapping encompasses a variety of software that bypasses all security systems

Page 28: Security and Privacy

White Hat Hackers

• Many companies hire professionals to uncover security problems by trying to break into the system

Page 29: Security and Privacy

Detecting Computer Crime

Most cases are discovered by accident—by actions having nothing to do with computers.

The Computer Fraud and Abuse Act of 1986 has improved awareness of computer-related crimes.

Page 30: Security and Privacy

Prosecuting Computer Crime

Eighty-five percent of detected computer crime is not reported.

Prosecution is further hampered by law enforcement officers, attorneys, and judges who do not fully understand the nature of the violation.

Page 31: Security and Privacy

Security

A system of safeguards is needed to protect a computer system and data from deliberate or accidental damage or access by unauthorized persons.

Page 32: Security and Privacy

Authorized Access

To assure that only the right person is accessing the right computer system, various means have been developed based on:

• What you do
• What you are
• What you have
• What you know

Page 33: Security and Privacy

What You Have

This means of authentication is based on your having a physical thing.

It might be a key, badge, token, or plastic card.

Page 34: Security and Privacy

What You Know

Many systems verify authorized access based on what you know.

This might be a password, identification number, or the correct combination of numbers on locks.

Page 35: Security and Privacy

What You Do

This mode of authorized access is based on something you do that is unique, such as your signature.

Page 36: Security and Privacy

What You Are

This security system uses biometrics—the science of measuring individual body characteristics.

Fingerprints, retinal scans, and hand characteristics are examples of what you are.

Page 37: Security and Privacy

Compromised Systems

When a computer system has been compromised by a natural or man-made disaster, the resulting problems might include:

• Loss of hardware
• Loss of software
• Loss of data

Page 38: Security and Privacy

Disaster Recovery Plan

• Spells out a method for restoring computer processing operations and data files

• Companies should perform emergency recovery drills

Page 39: Security and Privacy

Recovery From Loss of Hardware

There are various approaches to restoring computer processing operations:

• revert to manual services.
• temporarily use a service bureau.
• mutual aid from another company.
• pre-planned consortium facilities.

Page 40: Security and Privacy

Software Security

Software security has been an industry concern for years.

At risk here is who owns custom-made software.

Page 41: Security and Privacy

Company Ownership of Software

If the programmer was employed by the company for whom the software was written, then the company owns the software.

Page 42: Security and Privacy

Programmer Ownership of Custom Software

If the programmer was hired as a consultant, then ownership should have been addressed in the contract between the company and the programmer.

Page 43: Security and Privacy

Data Security

To prevent theft or alteration of data, security techniques can include:

• Passwords
• Built-in software protection
• Backup systems
• Secured waste
• Internal controls
• Auditor checks
• Applicant screening

Page 44: Security and Privacy

Secured Waste

Discarded printouts, printer ribbons, and the like can be sources of data leaks to unauthorized persons.

Paper shredders and locked trash barrels can secure these waste products.

Page 45: Security and Privacy

Internal Controls

These are controls that are planned as part of the computer system. The transaction log is an example.

This log records all successful or failed attempts to access certain data.

Page 46: Security and Privacy

Auditor Checks

Auditors not only go over the financial books of a company, but also review computer programs and data.

Discrepancies are noted and investigated.

Page 47: Security and Privacy

Applicant Screening

The people who will be working with the computer system should be honest employees.

Verifying an applicant’s résumé can weed out dishonest employees before they are hired.

Page 48: Security and Privacy

Passwords

A password is a secret word, number, or combination of the two. It should not be divulged, nor should it be so simple as to be easily cracked.

Page 49: Security and Privacy

Built-in Software Protection

Software can be built into operating systems in ways to restrict access to computer systems.

This kind of protection matches an authorized user with only the data that user should access.
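How this protection and the internal controls of the earlier slides fit together, as an added example that is not code from the deck: the access check on this slide writes every successful or failed attempt to the transaction log described under Internal Controls, and an auditor check then reads that log back and notes discrepancies. The permission table, log line format, failure threshold and sample records are all constructed for the illustration.

```python
"""Access control that writes a transaction log, plus an audit pass over
that log. Added example; permissions, log format and threshold are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed authorization table: the only records each user may read.
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"payroll", "trade_secrets"},
    "bob": {"pricing"},
}


@dataclass
class DataStore:
    """Built-in protection: a user is matched with only the data they should
    access, and every attempt, successful or failed, goes to the transaction log."""
    permissions: Dict[str, Set[str]]
    transaction_log: List[str] = field(default_factory=list)

    def access(self, user: str, record: str, when: datetime) -> bool:
        allowed = record in self.permissions.get(user, set())
        result = "SUCCESS" if allowed else "FAILED"
        self.transaction_log.append(
            f"{when.isoformat()} user={user} record={record} result={result}")
        return allowed


# Constructed log line format; one line per access attempt.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) record=(?P<record>\S+) result=(?P<result>SUCCESS|FAILED)$")


@dataclass
class AuditResult:
    flagged: Dict[str, int]   # users whose failed attempts reached the threshold
    unparsed: int             # log lines the auditor could not read: a discrepancy to investigate


def audit(log: List[str], threshold: int = 3) -> AuditResult:
    """Auditor check over the transaction log: count failed attempts per user
    and note any line that does not match the expected format."""
    failures: Counter = Counter()
    unparsed = 0
    for line in log:
        m = LOG_LINE.match(line)
        if m is None:
            unparsed += 1
            continue
        if m["result"] == "FAILED":
            failures[m["user"]] += 1
    flagged = {user: n for user, n in failures.items() if n >= threshold}
    return AuditResult(flagged=flagged, unparsed=unparsed)


def run_demo() -> AuditResult:
    """Constructed scenario: alice reads what she may; bob repeatedly tries records he may not."""
    store = DataStore(PERMISSIONS)
    t0 = datetime(2000, 1, 1, 9, 0, tzinfo=timezone.utc)
    store.access("alice", "payroll", t0)
    store.access("bob", "pricing", t0 + timedelta(minutes=1))
    for i, record in enumerate(("payroll", "trade_secrets", "payroll"), start=2):
        store.access("bob", record, t0 + timedelta(minutes=i))
    # A constructed malformed entry, standing in for a damaged or altered log line.
    store.transaction_log.append("corrupted entry with no recognisable fields")
    return audit(store.transaction_log)


if __name__ == "__main__":
    res = run_demo()
    print("flagged:", res.flagged, "unparsed lines:", res.unparsed)
```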

Page 50: Security and Privacy

Personal Computer Security

• Secure PC hardware with locks and cables

• Use surge protectors

Page 51: Security and Privacy

Backup Systems

Backing up files on a regular basis is a wise precaution—not only for big business, but for the consumer as well.

Page 52: Security and Privacy

Pest Programs

Not all programmers write useful or beneficial programs.

Some programmers write pest programs that can destroy data or, at the least, disrupt computer systems.

Page 53: Security and Privacy

Why Write Pest Programs?

Pest programs are written to show off programming prowess, revenge, sabotage, intellectual curiosity, or a desire for notoriety.

Pest programs include worms and viruses.

Page 54: Security and Privacy

Computer Worms

A worm is a program that transfers itself from computer to computer over a network.

At target computers, the worm creates a separate file for itself.

Page 55: Security and Privacy

Computer Virus

A computer virus is a set of illicit instructions that gets passed on to other programs or documents with which it comes in contact.

Viruses can change or delete files, display words, or produce bizarre screen effects.

Page 56: Security and Privacy

Transmission of Viruses

Viruses can be passed on via:

• diskettes
• a LAN
• e-mail attachments
• a WAN, including the Internet

Page 57: Security and Privacy

Virus Myths

• You cannot get a virus just by being on-line

• You cannot get a virus from reading email

• You cannot get a virus from data or graphics files

Page 58: Security and Privacy

Virus Vaccines

Since viruses are programs written by programmers, it takes another programmer to detect and remove the virus.

These anti-virus programs are called vaccines.

Page 59: Security and Privacy

Your Personal Data

FACT: Computer data about you is bought, sold, and traded every day.

FACT: More often than not, the exchange of data about you occurs without your knowledge.

Page 60: Security and Privacy

Your Personal Privacy

The front line of defense in protecting your personal privacy begins with you.

All those forms, surveys, credit card transactions, etc. generate a vast amount of data about you.

Page 61: Security and Privacy

Privacy Legislation

• Fair Credit Reporting Act
• Freedom of Information Act
• Federal Privacy Act
• Video Privacy Protection Act
• Computer Matching/Privacy Protection Act

Page 62: Security and Privacy

Network Security

One or more of the following may be needed to keep data within a network secure:

• Firewalls
• Encryption
• Surveillance software
• Anonymity

Page 63: Security and Privacy

Firewalls

This is a simple method to prevent unauthorized access of a network from the outside.

Page 64: Security and Privacy

Encryption

Encryption is scrambling data into secret codes by using elaborate mathematical functions.

Intercepting scrambled data is of no use to computer criminals.

(Figure: the plaintext “hiding data” shown as the scrambled text “4T*v@5 [8fW”)

Page 65: Security and Privacy

Surveillance Software

In addition to firewalls and encryption methods, employers might use software that monitors the activity of their workers.

Page 66: Security and Privacy

Anonymity

Network security can also include keeping the e-mail address identity of employees anonymous.

This measure reduces junk e-mailings and protects the employee’s identity.

Page 67: Security and Privacy

Junk Email (SPAM)

• Newsgroup messages are a prime source of email addresses

• Use of filter software reduces the amount of SPAM received

Page 68: Security and Privacy

Protecting Children

• Blocking software is used to prevent access to known objectionable web sites

• The Children’s Online Privacy Act requires web sites to obtain parental consent before obtaining information from children under 13

Page 69: Security and Privacy

Ethics and Privacy

• Suppose you are a programmer for a medical organization, and while working, you see records about a celebrity. Is it ethical to describe the medical treatment to your friends?

Page 70: Security and Privacy

Conclusion

Security and privacy are important issues in the Information Age.

The computer industry as well as private citizens share responsibility in addressing these issues.